Open rhufsky opened 5 years ago
Hi! From your writeup it seems that you're missing the crucial NS record for the domain. The CNAME is not needed for the acme-dns instance itself, as it handles all that internally.
Thanks for the quick answer.
A bit of forensics seems to tell me that yes, I have the crucial NS record, but no, our DNS provider does not forward the queries to acme-dns -> recursion requested but not available.
I'm having the same issue, I think. I can't start acme-dns as it fails to obtain its own certificate.
INFO[0000] Using config file file=/etc/acme-dns/config.cfg
INFO[0000] Connected to database
DEBU[0000] Adding new record to domain domain=acme.fieldmuseum.org. recordtype=A
DEBU[0000] Adding new record to domain domain=acme.fieldmuseum.org. recordtype=NS
DEBU[0000] Adding new record to domain domain=acme.fieldmuseum.org. recordtype=SOA
INFO[0000] Listening DNS addr="0.0.0.0:53" proto=udp4
INFO[0000] Listening DNS addr="0.0.0.0:53" proto=tcp4
INFO[0000] 2019/11/30 20:07:10 [INFO][cache:0xc0000b04b0] Started certificate maintenance routine
INFO[0000] 2019/11/30 20:07:11 [INFO][acme.fieldmuseum.org] Obtain certificate
INFO[0000] 2019/11/30 20:07:11 [INFO][acme.fieldmuseum.org] Obtain: Waiting on rate limiter...
INFO[0000] 2019/11/30 20:07:11 [INFO][acme.fieldmuseum.org] Obtain: Done waiting
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Obtaining bundled SAN certificate
INFO[0000] [INFO] [acme.fieldmuseum.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407058
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: tls-alpn-01
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: http-01
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: use dns-01 solver
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Preparing to solve DNS-01
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Trying to solve DNS-01
INFO[0000] [INFO] [acme.fieldmuseum.org] acme: Checking DNS record propagation using [10.10.10.122:53 10.10.10.15:53]
INFO[0000] [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
INFO[0005] [INFO] [acme.fieldmuseum.org] acme: Cleaning DNS-01 challenge
INFO[0005] [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407058
INFO[0005] [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407058
INFO[0005] 2019/11/30 20:07:16 [ERROR][acme.fieldmuseum.org] failed to obtain certificate: acme: Error -> One or more domains had a problem:
INFO[0005] [acme.fieldmuseum.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.acme.fieldmuseum.org, url: (attempt 1/3; challenge=dns-01)
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Obtaining bundled SAN certificate
INFO[0006] [INFO] [acme.fieldmuseum.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407069
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: tls-alpn-01
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: http-01
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: use dns-01 solver
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Preparing to solve DNS-01
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Trying to solve DNS-01
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Checking DNS record propagation using [10.10.10.122:53 10.10.10.15:53]
INFO[0006] [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
INFO[0006] [INFO] [acme.fieldmuseum.org] acme: Cleaning DNS-01 challenge
INFO[0007] [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407069
INFO[0007] [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407069
INFO[0007] 2019/11/30 20:07:18 [ERROR][acme.fieldmuseum.org] failed to obtain certificate: acme: Error -> One or more domains had a problem:
INFO[0007] [acme.fieldmuseum.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.acme.fieldmuseum.org, url: (attempt 2/3; challenge=dns-01)
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Obtaining bundled SAN certificate
INFO[0008] [INFO] [acme.fieldmuseum.org] AuthURL: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407080
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: tls-alpn-01
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Could not find solver for: http-01
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: use dns-01 solver
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Preparing to solve DNS-01
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Trying to solve DNS-01
INFO[0008] [INFO] [acme.fieldmuseum.org] acme: Checking DNS record propagation using [10.10.10.122:53 10.10.10.15:53]
INFO[0008] [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
INFO[0013] [INFO] [acme.fieldmuseum.org] acme: Cleaning DNS-01 challenge
INFO[0013] [INFO] Deactivating auth: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407080
INFO[0013] [INFO] Unable to deactivate the authorization: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/24407080
INFO[0013] 2019/11/30 20:07:24 [ERROR][acme.fieldmuseum.org] failed to obtain certificate: acme: Error -> One or more domains had a problem:
INFO[0013] [acme.fieldmuseum.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.acme.fieldmuseum.org, url: (attempt 3/3; challenge=dns-01)
FATA[0014] acme.fieldmuseum.org: obtaining certificate: failed to obtain certificate: acme: Error -> One or more domains had a problem:
[acme.fieldmuseum.org] acme: error: 400 :: urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up TXT for _acme-challenge.acme.fieldmuseum.org, url:
I never see it respond to DNS queries for TXT records on the main while attempting to get its certificate. So it should be responding to all *.acme.fieldmuseum.org requests, right? If I use a DNS checking tool while it is starting up for _acme-challenge.acme.fieldmuseum.org I see DEBUG comments from the DNS server.
DEBU[0014] Answering question for domain domain=_acme-challenge.acme.fieldmuseum.org. qtype=TXT rcode=NOERROR
DEBU[0014] Answering question for domain domain=_acme-challenge.acme.fieldmuseum.org. qtype=TXT rcode=NOERROR
So I'm at a loss on where the breakdown is in my setup.
@pdavisfmnh is acme-dns serving the records for ns1.acme.fieldmuseum.org and ns2.acme.fieldmuseum.org correctly? Currently it doesn't look like it does, only ns2.acme.fieldmuseum.org resolves:
▶ dig acme.fieldmuseum.org ns
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> acme.fieldmuseum.org ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13212
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;acme.fieldmuseum.org. IN NS
;; ANSWER SECTION:
acme.fieldmuseum.org. 3600 IN NS ns1.acme.fieldmuseum.org.
acme.fieldmuseum.org. 3600 IN NS ns2.acme.fieldmuseum.org.
;; Query time: 278 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Dec 02 20:41:07 EET 2019
;; MSG SIZE rcvd: 85
▶ dig ns1.acme.fieldmuseum.org
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> ns1.acme.fieldmuseum.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 40189
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ns1.acme.fieldmuseum.org. IN A
;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Dec 02 20:43:59 EET 2019
;; MSG SIZE rcvd: 53
▶ dig ns2.acme.fieldmuseum.org
; <<>> DiG 9.11.3-1ubuntu1.11-Ubuntu <<>> ns2.acme.fieldmuseum.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19057
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;ns2.acme.fieldmuseum.org. IN A
;; ANSWER SECTION:
ns2.acme.fieldmuseum.org. 3420 IN A 107.0.125.101
;; Query time: 22 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Mon Dec 02 20:44:15 EET 2019
;; MSG SIZE rcvd: 69
This is what I get for working on things when I'm supposed to be on vacation. Fixed the DNS issue and magically it's working right.
It's not DNS. It's DNS.
Great to hear that you got it fixed!
> It's not DNS. It's DNS.
Is this a reference to the DNS haiku:
It's not DNS
There's no way it's DNS
It was DNS
> This is what I get for working on things when I'm supposed to be on vacation. Fixed the DNS issue and magically it's working right.
> It's not DNS. It's DNS.
Please, I am also facing the same issue; how were you able to solve this problem? Thanks. Below is my dig output:
~$ dig ns @16.54.132.200 acme.techbezaleel.net
; <<>> DiG 9.11.3-1ubuntu1.12-Ubuntu <<>> ns @16.54.132.200 acme.techbezaleel.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60583
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;acme.techbezaleel.net. IN NS
;; AUTHORITY SECTION:
acme.techbezaleel.net. 300 IN NS ns1.acme.techbezaleel.net.
;; ADDITIONAL SECTION:
ns1.acme.techbezaleel.net. 300 IN A 78.18.11.2
;; Query time: 67 msec
;; SERVER: 16.54.132.200#53(156.154.132.200)
;; WHEN: Mon Jun 08 23:05:38 PDT 2020
;; MSG SIZE rcvd: 88
Check dig from outside your network (like on a cloud VM). Your port 53 is probably not open (for remote DNS queries), so your http/https port probably isn't open either.
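The two diagnoses in this thread (the ns1 glue record that returns NXDOMAIN above, and the advice to check from outside the network) are the same check walked by hand: can a recursive resolver find the NS for the acme-dns zone, resolve that NS name to an address, and then get an authoritative TXT answer from that address? The script below is an added example, not code from acme-dns or from anyone in this thread. It builds raw DNS queries and parses the replies so the flags that matter (AA and RCODE) are visible; the "recursion requested but not available" warning dig prints is expected from an authoritative-only server like acme-dns and is not the problem. The zone acme.example.org, the glue name ns1.acme.example.org and the recursor address are hypothetical; only query() and check_delegation() touch the network.

```python
"""DNS wire-format helpers to walk the delegation a CA follows to acme-dns.

Added example, not code from acme-dns or from this thread. Names and addresses
are hypothetical: zone acme.example.org, glue ns1.acme.example.org, recursor
9.9.9.9. Only query()/check_delegation() touch the network; the builder and
parser run offline.
"""
import socket
import struct

QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "TXT": 16}
TYPE_NAMES = {v: k for k, v in QTYPES.items()}


def encode_name(name):
    """Dotted name -> DNS label format, no compression."""
    out = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in name.strip(".").split("."))
    return out + b"\x00"


def build_query(name, qtype, rd=False, txid=0x1234):
    """One-question query. rd=False is what a recursor sends to an
    authoritative server, so 'recursion requested but not available' never
    matters for acme-dns; what matters is AA and RCODE in the reply."""
    header = struct.pack("!HHHHHH", txid, 0x0100 if rd else 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def decode_name(data, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(data):
    """Header flags plus the answer section as (name, type, ttl, value)."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                # skip the question
        _, off = decode_name(data, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata, start = data[off:off + rdlen], off
        off += rdlen
        if rtype == QTYPES["A"]:
            value = socket.inet_ntoa(rdata)
        elif rtype in (QTYPES["NS"], QTYPES["CNAME"]):
            value = decode_name(data, start)[0]        # rdata may be compressed
        elif rtype == QTYPES["TXT"]:
            value = rdata[1:1 + rdata[0]].decode("ascii")   # first <character-string>
        else:
            value = rdata.hex()
        answers.append((name, TYPE_NAMES.get(rtype, rtype), ttl, value))
    return {"id": txid,
            "rcode": flags & 0xF,            # 0 NOERROR, 3 NXDOMAIN, 5 REFUSED
            "aa": bool(flags & 0x0400),      # set only by the zone's authoritative server
            "ra": bool(flags & 0x0080),      # clear on acme-dns: it is not a recursor
            "answers": answers}


def query(server_ip, name, qtype, rd=False, timeout=3.0):
    """Send one UDP query and parse the reply (network; not exercised offline)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, qtype, rd), (server_ip, 53))
        return parse_response(s.recvfrom(4096)[0])


def check_delegation(resolver_ip, zone, challenge_name):
    """NS for the zone via a recursor, glue A for each NS via the recursor,
    then the TXT straight from each glue address with RD clear. A missing
    glue A (the ns1 NXDOMAIN in the thread) is fatal: the CA never reaches acme-dns."""
    report = []
    ns_names = [v for _, t, _, v in query(resolver_ip, zone, "NS", rd=True)["answers"] if t == "NS"]
    report.append(("NS", ns_names))
    for ns in ns_names:
        ips = [v for _, t, _, v in query(resolver_ip, ns, "A", rd=True)["answers"] if t == "A"]
        report.append((f"glue {ns}", ips or "no A record: resolvers cannot reach this NS"))
        for ip in ips:
            r = query(ip, challenge_name, "TXT")
            ok = r["aa"] and r["rcode"] == 0
            report.append((f"TXT @{ip}", "authoritative NOERROR" if ok else f"rcode={r['rcode']} aa={r['aa']}"))
    return report


if __name__ == "__main__":
    for item in check_delegation("9.9.9.9", "acme.example.org", "_acme-challenge.acme.example.org"):
        print(*item)
```

Run it from a host outside your own network, as the advice above says: if the glue step reports no A record, fix the parent zone's records (or the `records` list in acme-dns's config) before touching anything else; if the glue resolves but the TXT step never returns an authoritative answer, the problem is port 53 reachability, not DNS data.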
Thanks for the reply, I will confirm this with dig and nmap and get back.
The following are the outputs I have received:
curl from my local machine:
curl -X POST http://acme.techbezaleel.net:53/register
curl: (6) Could not resolve host: acme.techbezaleel.net
firewall on my server...
$ sudo ufw status
Status: active
To Action From
-- ------ ----
22/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
443/tcp ALLOW Anywhere
53/tcp ALLOW Anywhere
53/udp ALLOW Anywhere
dig from my local machine:
dig txt @56.54.133.200 _acme-challenge.techbezaleel.net
; <<>> DiG 9.11.5-P4-5.1ubuntu2.2-Ubuntu <<>> txt @156.154.133.200 _acme-challenge.techbezaleel.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24075
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;_acme-challenge.techbezaleel.net. IN TXT
;; ANSWER SECTION:
_acme-challenge.techbezaleel.net. 300 IN CNAME 0bc749ee-3512-4cb9-bb92-7d366562f62d.acme.techbezaleel.net.
;; AUTHORITY SECTION:
acme.techbezaleel.net. 300 IN NS ns1.acme.techbezaleel.net.
;; ADDITIONAL SECTION:
ns1.acme.techbezaleel.net. 300 IN A 51.178.171.26
;; Query time: 932 msec
;; SERVER: 56.54.133.200#53(156.154.133.200)
;; WHEN: Wed Jun 10 18:56:11 WAT 2020
;; MSG SIZE rcvd: 160
nslookup from my local machine:
nslookup ns1.techbezaleel.net
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: ns1.techbezaleel.net
Address: 51.78.71.26
Please, how can I make sense of this output? My firewall shows that port 53 is open, but curl can't connect on that port.
Sorry, this is the actual output of nmap on port 53:
sudo nmap -p 53 51.178.171.26 -Pn -sU
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 19:35 WAT
Nmap scan report for 51.178.171.26
Host is up (0.17s latency).
PORT STATE SERVICE
53/udp open domain
Nmap done: 1 IP address (1 host up) scanned in 1.31 seconds
sudo nmap -p 53 51.178.171.26 -Pn
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-10 19:36 WAT
Nmap scan report for 51.178.171.26
Host is up (0.16s latency).
PORT STATE SERVICE
53/tcp open domain
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
I have installed acme-dns on Ubuntu 18.04 on a server that runs in a DMZ behind a firewall. Only port 53 is exposed to the outside. So far I have
When I start acme-dns I can verify that it acts as a DNS server from both inside the DMZ and from the internet.
When I try to call the register API I get no answer. acme-dns does not seem to listen on port 80 or port 443.
Watching syslog I find that acme-dns tries to get a certificate from letsencrypt. This does not work because the CNAME record is missing.
As I can not call the register API I cannot create the CNAME record. So I am a bit stuck. Did I miss something?
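The register-then-CNAME step that the opening post is stuck on, and the curl attempt earlier in the thread, both concern the acme-dns HTTP API, which listens on the port set in the [api] section of config.cfg, not on 53. The client below is an added example, not code from acme-dns or from this thread. It registers an account, prints the exact CNAME line the parent zone needs (pointing _acme-challenge at the fulldomain that /register returns, as the CNAME in the dig output above does), and pushes a TXT value with the X-Api-User/X-Api-Key headers acme-dns expects. The instance URL https://acme.example.org and the parent name example.org are hypothetical; only register() and update() touch the network.

```python
"""Minimal acme-dns API client: register, derive the CNAME, push a TXT.

Added example, not code from acme-dns or from this thread. Assumes a
hypothetical instance at https://acme.example.org (the [api] port from
config.cfg, not 53) and a hypothetical parent name example.org whose
_acme-challenge record becomes the CNAME. Only register()/update() touch
the network.
"""
import json
import urllib.request

TXT_LEN = 43  # acme-dns accepts exactly 43 characters (a base64url SHA-256 digest)


def cname_line(parent_name, fulldomain, ttl=300):
    """Zone-file line to add at the *parent* DNS provider after registering."""
    return f"_acme-challenge.{parent_name.rstrip('.')}. {ttl} IN CNAME {fulldomain.rstrip('.')}."


def update_payload(creds, txt):
    """Body for POST /update; reject values acme-dns would refuse anyway."""
    if len(txt) != TXT_LEN:
        raise ValueError(f"txt must be exactly {TXT_LEN} characters, got {len(txt)}")
    return {"subdomain": creds["subdomain"], "txt": txt}


def auth_headers(creds):
    """acme-dns authenticates /update with these two headers."""
    return {"X-Api-User": creds["username"], "X-Api-Key": creds["password"],
            "Content-Type": "application/json"}


def _post(url, body=None, headers=None):
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method="POST",
                                 headers=headers or {"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def register(base_url, allowfrom=None):
    """POST /register -> {username, password, fulldomain, subdomain, allowfrom}.
    Pass allowfrom as the CIDRs your ACME client will call from; the returned
    password is shown once, so store it at registration time."""
    body = {"allowfrom": allowfrom} if allowfrom else None
    return _post(f"{base_url}/register", body)


def update(base_url, creds, txt):
    """POST /update with the challenge value the ACME client hands you."""
    return _post(f"{base_url}/update", update_payload(creds, txt), auth_headers(creds))


if __name__ == "__main__":
    creds = register("https://acme.example.org", allowfrom=["192.0.2.0/24"])
    print(json.dumps(creds))
    print("add at the parent DNS provider:", cname_line("example.org", creds["fulldomain"]))
```

Registration does not need the CNAME to exist; the CNAME is only consulted when a CA later follows _acme-challenge.example.org to the acme-dns zone. If the API is unreachable because acme-dns is still failing to obtain its own certificate, the DNS delegation for the acme-dns zone itself has to be fixed first, which is the order the thread above arrives at.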